[ Bug Verification ]

Looks good to me. There are 245 rules in total; of those, 44 rules passed and 196 rules failed before the remediations were applied. The auto-remediations were applied for 102 rules in total, and after the rescan 101 rules passed and 1 was skipped [101 (PASS) + 1 (SKIP) = 102].
So 145 rules pass in total [44 + 101 (PASS) = 145] after the remediations were applied.

Verified on:
4.6.0-0.nightly-2021-01-30-211400
compliance-operator.v0.1.25

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2021-01-30-211400   True        False         4h51m   Cluster version is 4.6.0-0.nightly-2021-01-30-211400

$ oc get csv
NAME                                           DISPLAY                            VERSION                 REPLACES   PHASE
compliance-operator.v0.1.25                    Compliance Operator                0.1.25                             Succeeded
elasticsearch-operator.4.6.0-202101300140.p0   OpenShift Elasticsearch Operator   4.6.0-202101300140.p0              Succeeded

$ oc get pods
NAME                                              READY   STATUS    RESTARTS   AGE
compliance-operator-6995fbbf5b-km9f4              1/1     Running   0          4h36m
ocp4-openshift-compliance-pp-c4898f8b-zrdxr       1/1     Running   0          159m
rhcos4-openshift-compliance-pp-86d8d69446-29rct   1/1     Running   0          165m

$ oc get nodes
NAME                                         STATUS   ROLES    AGE     VERSION
ip-10-0-134-186.us-east-2.compute.internal   Ready    master   5h27m   v1.19.0+e49167a
ip-10-0-150-230.us-east-2.compute.internal   Ready    worker   5h22m   v1.19.0+e49167a
ip-10-0-169-137.us-east-2.compute.internal   Ready    master   5h27m   v1.19.0+e49167a
ip-10-0-180-200.us-east-2.compute.internal   Ready    worker   5h22m   v1.19.0+e49167a
ip-10-0-194-66.us-east-2.compute.internal    Ready    worker   5h22m   v1.19.0+e49167a
ip-10-0-222-188.us-east-2.compute.internal   Ready    master   5h28m   v1.19.0+e49167a

$ oc label node ip-10-0-194-66.us-east-2.compute.internal node-role.kubernetes.io/wscan=
node/ip-10-0-194-66.us-east-2.compute.internal labeled

$ oc create -f - <<EOF
> apiVersion: machineconfiguration.openshift.io/v1
> kind: MachineConfigPool
> metadata:
>   name: wscan
> spec:
>   machineConfigSelector:
>     matchExpressions:
>       - {key: machineconfiguration.openshift.io/role, operator: In, values: [worker,wscan]}
>   nodeSelector:
>     matchLabels:
>       node-role.kubernetes.io/wscan: ""
> EOF
machineconfigpool.machineconfiguration.openshift.io/wscan created

$ oc get mcp
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-31168e44adda32d56e549e8aa20ee1b8   True      False      False      3              3                   3                     0                      5h35m
worker   rendered-worker-3d8536c23324c8f4d1b41bc37d8332bf   True      False      False      2              2                   2                     0                      5h35m
wscan    rendered-wscan-3d8536c23324c8f4d1b41bc37d8332bf    True      False      False      1              1                   1                     0                      6m47s

$ oc create -f - << EOF
{
  "kind": "List",
  "apiVersion": "v1",
  "metadata": {},
  "items": [
    {
      "apiVersion": "compliance.openshift.io/v1alpha1",
      "kind": "ComplianceSuite",
      "metadata": {
        "name": "worker-compliancesuite",
        "namespace": "openshift-compliance"
      },
      "spec": {
        "autoApplyRemediations": true,
        "scans": [
          {
            "content": "ssg-rhcos4-ds.xml",
            "contentImage": "quay.io/complianceascode/ocp4:latest",
            "debug": true,
            "name": "worker-scan",
            "noExternalResources": false,
            "nodeSelector": {
              "node-role.kubernetes.io/wscan": ""
            },
            "profile": "xccdf_org.ssgproject.content_profile_moderate",
            "rawResultStorage": {
              "rotation": 0,
              "size": ""
            },
            "rule": "",
            "scanType": ""
          }
        ],
        "schedule": "0 1 * * *"
      }
    }
  ]
}
EOF
compliancesuite.compliance.openshift.io/worker-compliancesuite created

$ oc get pods
NAME                                                        READY   STATUS      RESTARTS   AGE
aggregator-pod-worker-scan                                  0/1     Completed   0          58s
compliance-operator-6995fbbf5b-km9f4                        1/1     Running     0          5h10m
ocp4-openshift-compliance-pp-c4898f8b-n2fq9                 1/1     Running     0          12m
rhcos4-openshift-compliance-pp-86d8d69446-8xskk             1/1     Running     0          12m
worker-scan-ip-10-0-194-66.us-east-2.compute.internal-pod   0/2     Completed   0          4m18s

$ oc get compliancecheckresults.compliance.openshift.io -l compliance.openshift.io/scan-name=worker-scan | grep -E "PASS|FAIL|INFO|SKIP" | wc -l
245

$ oc get compliancecheckresults.compliance.openshift.io | grep PASS | wc -l
44

$ oc get compliancecheckresults.compliance.openshift.io | grep FAIL | wc -l
196

$ oc get compliancecheckresults.compliance.openshift.io | grep SKIP | wc -l
1

$ oc get complianceremediation | grep Applied | wc -l
102

$ oc get mc -l compliance.openshift.io/scan-name=worker-compliancesuite | grep -v "AGE" | wc -l
102

$ oc get mc -l compliance.openshift.io/scan-name=worker-compliancesuite | head
NAME                                                         GENERATEDBYCONTROLLER   IGNITIONVERSION   AGE
75-worker-scan-audit-rules-dac-modification-chmod                                    3.1.0             3m54s
75-worker-scan-audit-rules-dac-modification-chown                                    3.1.0             3m58s
75-worker-scan-audit-rules-dac-modification-fchmod                                   3.1.0             3m55s
75-worker-scan-audit-rules-dac-modification-fchmodat                                 3.1.0             4m5s
75-worker-scan-audit-rules-dac-modification-fchown                                   3.1.0             3m54s
75-worker-scan-audit-rules-dac-modification-fchownat                                 3.1.0             3m58s
75-worker-scan-audit-rules-dac-modification-fremovexattr                             3.1.0             3m57s
75-worker-scan-audit-rules-dac-modification-fsetxattr                                3.1.0             4m1s
75-worker-scan-audit-rules-dac-modification-lchown                                   3.1.0             3m57s

$ oc describe complianceremediations worker-scan-audit-rules-dac-modification-chmod | tail
      Files:
        Contents:
          Source:   data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20chmod%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20chmod%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
        Mode:       420
        Overwrite:  true
        Path:       /etc/audit/rules.d/75-chmod_dac_modification.rules
  Outdated:
Status:
  Application State:  Applied
Events:                 <none>

$ oc get mcp
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-31168e44adda32d56e549e8aa20ee1b8   True      False      False      3              3                   3                     0                      5h54m
worker   rendered-worker-310680ddccf8fe820efc58f903433092   True      False      False      2              2                   2                     0                      5h54m
wscan    rendered-wscan-310680ddccf8fe820efc58f903433092    False     True       False      1              0                   0                     0                      25m

$ oc get mcp
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-31168e44adda32d56e549e8aa20ee1b8   True      False      False      3              3                   3                     0                      5h57m
worker   rendered-worker-310680ddccf8fe820efc58f903433092   True      False      False      2              2                   2                     0                      5h57m
wscan    rendered-wscan-38e759525988dfe854712931fa8d6ef3    True      False      False      1              1                   1                     0                      29m

$ oc annotate compliancescans/worker-scan compliance.openshift.io/rescan=
compliancescan.compliance.openshift.io/worker-scan annotated

$ oc get compliancesuite -w
NAME                     PHASE         RESULT
worker-compliancesuite   RUNNING       NOT-AVAILABLE
worker-compliancesuite   AGGREGATING   NOT-AVAILABLE
worker-compliancesuite   DONE          NON-COMPLIANT

$ oc get compliancecheckresults.compliance.openshift.io | grep PASS | wc -l
145

$ oc get compliancecheckresults.compliance.openshift.io | grep FAIL | wc -l
95

$ oc get compliancecheckresults.compliance.openshift.io | grep INFO | wc -l
4

$ oc get compliancecheckresults.compliance.openshift.io | grep SKIP | wc -l
1

$ oc get mc -l compliance.openshift.io/scan-name=worker-compliancesuite,machineconfiguration.openshift.io/role=wscan | grep privileged
75-worker-scan-audit-rules-privileged-commands-at                    3.1.0   22m
75-worker-scan-audit-rules-privileged-commands-chage                 3.1.0   22m
75-worker-scan-audit-rules-privileged-commands-chsh                  3.1.0   22m
75-worker-scan-audit-rules-privileged-commands-crontab               3.1.0   22m
75-worker-scan-audit-rules-privileged-commands-gpasswd               3.1.0   22m
75-worker-scan-audit-rules-privileged-commands-mount                 3.1.0   22m
75-worker-scan-audit-rules-privileged-commands-newgidmap             3.1.0   22m
75-worker-scan-audit-rules-privileged-commands-newgrp                3.1.0   22m
75-worker-scan-audit-rules-privileged-commands-newuidmap             3.1.0   22m
75-worker-scan-audit-rules-privileged-commands-pam-timestamp-check   3.1.0   22m
75-worker-scan-audit-rules-privileged-commands-passwd                3.1.0   22m
75-worker-scan-audit-rules-privileged-commands-postdrop              3.1.0   22m
75-worker-scan-audit-rules-privileged-commands-postqueue             3.1.0   22m
75-worker-scan-audit-rules-privileged-commands-pt-chown              3.1.0   22m
75-worker-scan-audit-rules-privileged-commands-ssh-keysign           3.1.0   22m
75-worker-scan-audit-rules-privileged-commands-su                    3.1.0   22m
75-worker-scan-audit-rules-privileged-commands-sudo                  3.1.0   22m
75-worker-scan-audit-rules-privileged-commands-sudoedit              3.1.0   22m
75-worker-scan-audit-rules-privileged-commands-umount                3.1.0   22m
75-worker-scan-audit-rules-privileged-commands-unix-chkpwd           3.1.0   22m
75-worker-scan-audit-rules-privileged-commands-userhelper            3.1.0   22m
75-worker-scan-audit-rules-privileged-commands-usernetctl            3.1.0   22m
75-worker-scan-sysctl-kernel-unprivileged-bpf-disabled               3.1.0   22m

$ oc get complianceremediations.compliance.openshift.io | grep privileged
worker-scan-audit-rules-privileged-commands-at                    Applied
worker-scan-audit-rules-privileged-commands-chage                 Applied
worker-scan-audit-rules-privileged-commands-chsh                  Applied
worker-scan-audit-rules-privileged-commands-crontab               Applied
worker-scan-audit-rules-privileged-commands-gpasswd               Applied
worker-scan-audit-rules-privileged-commands-mount                 Applied
worker-scan-audit-rules-privileged-commands-newgidmap             Applied
worker-scan-audit-rules-privileged-commands-newgrp                Applied
worker-scan-audit-rules-privileged-commands-newuidmap             Applied
worker-scan-audit-rules-privileged-commands-pam-timestamp-check   Applied
worker-scan-audit-rules-privileged-commands-passwd                Applied
worker-scan-audit-rules-privileged-commands-postdrop              Applied
worker-scan-audit-rules-privileged-commands-postqueue             Applied
worker-scan-audit-rules-privileged-commands-pt-chown              Applied
worker-scan-audit-rules-privileged-commands-ssh-keysign           Applied
worker-scan-audit-rules-privileged-commands-su                    Applied
worker-scan-audit-rules-privileged-commands-sudo                  Applied
worker-scan-audit-rules-privileged-commands-sudoedit              Applied
worker-scan-audit-rules-privileged-commands-umount                Applied
worker-scan-audit-rules-privileged-commands-unix-chkpwd           Applied
worker-scan-audit-rules-privileged-commands-userhelper            Applied
worker-scan-audit-rules-privileged-commands-usernetctl            Applied
worker-scan-sysctl-kernel-unprivileged-bpf-disabled               Applied

$ oc get compliancecheckresult.compliance.openshift.io | grep privileged
worker-scan-audit-rules-privileged-commands                       FAIL   medium
worker-scan-audit-rules-privileged-commands-at                    PASS   medium
worker-scan-audit-rules-privileged-commands-chage                 PASS   medium
worker-scan-audit-rules-privileged-commands-chsh                  PASS   medium
worker-scan-audit-rules-privileged-commands-crontab               PASS   medium
worker-scan-audit-rules-privileged-commands-gpasswd               PASS   medium
worker-scan-audit-rules-privileged-commands-mount                 PASS   medium
worker-scan-audit-rules-privileged-commands-newgidmap             PASS   medium
worker-scan-audit-rules-privileged-commands-newgrp                PASS   medium
worker-scan-audit-rules-privileged-commands-newuidmap             PASS   medium
worker-scan-audit-rules-privileged-commands-pam-timestamp-check   PASS   medium
worker-scan-audit-rules-privileged-commands-passwd                PASS   medium
worker-scan-audit-rules-privileged-commands-postdrop              PASS   medium
worker-scan-audit-rules-privileged-commands-postqueue             PASS   medium
worker-scan-audit-rules-privileged-commands-pt-chown              PASS   medium
worker-scan-audit-rules-privileged-commands-ssh-keysign           PASS   medium
worker-scan-audit-rules-privileged-commands-su                    PASS   medium
worker-scan-audit-rules-privileged-commands-sudo                  PASS   medium
worker-scan-audit-rules-privileged-commands-sudoedit              PASS   medium
worker-scan-audit-rules-privileged-commands-umount                PASS   medium
worker-scan-audit-rules-privileged-commands-unix-chkpwd           PASS   medium
worker-scan-audit-rules-privileged-commands-userhelper            PASS   medium
worker-scan-audit-rules-privileged-commands-usernetctl            PASS   medium
worker-scan-sysctl-kernel-unprivileged-bpf-disabled               PASS   medium

$ oc get mc -l compliance.openshift.io/scan-name=worker-compliancesuite,machineconfiguration.openshift.io/role=wscan | grep execution
75-worker-scan-audit-rules-execution-chcon        3.1.0   22m
75-worker-scan-audit-rules-execution-restorecon   3.1.0   22m
75-worker-scan-audit-rules-execution-semanage     3.1.0   22m
75-worker-scan-audit-rules-execution-setfiles     3.1.0   22m
75-worker-scan-audit-rules-execution-setsebool    3.1.0   22m
75-worker-scan-audit-rules-execution-seunshare    3.1.0   22m

$ oc get complianceremediations.compliance.openshift.io | grep execution
worker-scan-audit-rules-execution-chcon        Applied
worker-scan-audit-rules-execution-restorecon   Applied
worker-scan-audit-rules-execution-semanage     Applied
worker-scan-audit-rules-execution-setfiles     Applied
worker-scan-audit-rules-execution-setsebool    Applied
worker-scan-audit-rules-execution-seunshare    Applied

$ oc get compliancecheckresult.compliance.openshift.io | grep execution
worker-scan-audit-rules-execution-chcon        PASS   medium
worker-scan-audit-rules-execution-restorecon   PASS   medium
worker-scan-audit-rules-execution-semanage     PASS   medium
worker-scan-audit-rules-execution-setfiles     PASS   medium
worker-scan-audit-rules-execution-setsebool    PASS   medium
worker-scan-audit-rules-execution-seunshare    PASS   medium
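The `oc describe complianceremediations` output above shows what a remediation actually ships: an Ignition file whose `Source` is a percent-encoded `data:` URL containing auditd rules. The following is an added illustration for this thread, not code from the compliance-operator project; it decodes that URL (copied from the comment above), parses the rules into their `-a`/`-S`/`-F` fields, and checks that the syscall is audited for both the `b32` and `b64` architectures under the expected key. The helper names are this example's own.

```python
"""Decode a remediation's Ignition `data:` URL and inspect the audit rules.

Added example for this bug thread; not part of compliance-operator.
DATA_URL is the Source value shown by `oc describe complianceremediations
worker-scan-audit-rules-dac-modification-chmod` in the comment above.
"""
import base64
from urllib.parse import unquote

DATA_URL = (
    "data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20chmod%20-F%20auid%3E%3D1000"
    "%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch"
    "%3Db64%20-S%20chmod%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A"
)

# Mode is shown in decimal by `oc describe`; 420 decimal is 0644 octal.
IGNITION_MODE = 420


def decode_data_url(url: str) -> str:
    """Return the body of an RFC 2397 data: URL as text (plain or base64 form)."""
    if not url.startswith("data:"):
        raise ValueError("not a data: URL")
    header, _, body = url[len("data:"):].partition(",")
    if header.endswith(";base64"):
        return base64.b64decode(body).decode()
    return unquote(body)


def parse_audit_rule(line: str) -> dict:
    """Parse one auditctl-style rule line into action, syscalls, filters and key."""
    tokens = line.split()
    rule = {"action": None, "syscalls": [], "filters": [], "key": None}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-a":
            rule["action"] = tokens[i + 1]
            i += 2
        elif tok == "-S":
            rule["syscalls"].append(tokens[i + 1])
            i += 2
        elif tok == "-F":
            field = tokens[i + 1]
            if field.startswith("key="):
                rule["key"] = field[len("key="):]
            else:
                rule["filters"].append(field)
            i += 2
        else:
            i += 1  # tolerate tokens this small parser does not model
    return rule


def rules_from_remediation(url: str) -> list:
    """All non-empty rule lines in the remediation's file, parsed."""
    return [parse_audit_rule(l) for l in decode_data_url(url).splitlines() if l.strip()]


def covers_both_arches(rules: list, syscall: str, key: str) -> bool:
    """True when `syscall` is audited under `key` for both arch=b32 and arch=b64.

    A rule set that only covers one ABI leaves the other unaudited, which is
    why the content emits both lines."""
    arches = {
        f for r in rules
        if syscall in r["syscalls"] and r["key"] == key
        for f in r["filters"] if f.startswith("arch=")
    }
    return arches == {"arch=b32", "arch=b64"}


def mode_octal(mode: int) -> str:
    """Render an Ignition decimal mode as the octal form used in audit guidance."""
    return format(mode, "04o")


if __name__ == "__main__":
    print(decode_data_url(DATA_URL))
    rules = rules_from_remediation(DATA_URL)
    print("chmod audited on both ABIs:", covers_both_arches(rules, "chmod", "perm_mod"))
    print("file mode:", mode_octal(IGNITION_MODE))
```

Running it prints the two decoded `-a always,exit ... -S chmod ... -F key=perm_mod` lines, confirms that both ABIs are covered, and shows the file mode as `0644`, which is what the remediation writes to `/etc/audit/rules.d/75-chmod_dac_modification.rules`.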
(In reply to Prashant Dhamdhere from comment #3)
> [ Bug Verification ]
> 
> Looks good to me. There are total 245 rules and out of that 44 rules are
> passed and 196 rules are
> failed before remediations get applied. The auto-remediations applied total
> 102 rules and after
> rescan performed total 101 rules are passed and 1 skipped [101 (PASS) + 1
> (SKIP) = 102 ]
> So total 145 rules are passed [44 + 101 (PASS) = 145 ] after remediations
> get applied.
> 

Correction: the auto-remediations were applied for 102 rules in total, and after the rescan 101 rules passed and 1 rule's status remained the same, i.e. INFO [101 (PASS) + 1 (INFO) = 102].
@pdhamdhe what rule was left?
(In reply to Juan Antonio Osorio from comment #5)
> @pdhamdhe what rule was left?

Hi Juan,

The rule marked below had status INFO before the remediation was applied, and its status remained the same, i.e. INFO, after the remediation was applied and a rescan was performed.

$ oc get compliancecheckresults.compliance.openshift.io | grep INFO
worker-scan-bios-disable-usb-boot             INFO   unknown
worker-scan-coreos-vsyscall-kernel-argument   INFO   medium    <<------
worker-scan-sshd-limit-user-access            INFO   unknown
worker-scan-wireless-disable-in-bios          INFO   unknown

$ oc get complianceremediation worker-scan-coreos-vsyscall-kernel-argument
NAME                                          STATE
worker-scan-coreos-vsyscall-kernel-argument   Applied

The auto-remediations were applied for 102 rules in total; of those, 101 rules passed and 1 rule (marked above) shows INFO after the remediation was applied.
One of my customers reported a similar issue in his environment.

OpenShift version: 4.6
Profile applied: rhcos4-moderate
Nodes applied: Master nodes

I was able to reproduce it in the lab.

scansettings used for the scan:

~~~
$ cat scansettings.yaml
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSetting
metadata:
  name: mcp-compliance-scansetting-test
  namespace: openshift-compliance
autoApplyRemediations: false
rawResultStorage:
  storageClassName: gp2
  rotation: 0
  size: 1Gi
roles:
  - master
---
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: mcp-compliance-scansettingbinding-moderate
profiles:
  # Node checks
  - name: rhcos4-moderate
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: mcp-compliance-scansetting-test
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
$
~~~

1st scan: ComplianceScan, ComplianceCheckResults and ComplianceRemediation status:

~~~
$ oc get compliancescans
NAME                     PHASE   RESULT
ocp4-e8                  DONE    NON-COMPLIANT
rhcos4-e8-worker         DONE    NON-COMPLIANT
rhcos4-moderate-master   DONE    NON-COMPLIANT

$ oc get compliancecheckresults | grep rhcos4-moderate-master | egrep "chcon|restorecon|semanage|setfiles|setsebool|seunshare"
rhcos4-moderate-master-audit-rules-execution-chcon        FAIL   medium
rhcos4-moderate-master-audit-rules-execution-restorecon   FAIL   medium
rhcos4-moderate-master-audit-rules-execution-semanage     FAIL   medium
rhcos4-moderate-master-audit-rules-execution-setfiles     FAIL   medium
rhcos4-moderate-master-audit-rules-execution-setsebool    FAIL   medium
rhcos4-moderate-master-audit-rules-execution-seunshare    FAIL   medium

$ oc get complianceremediations | grep rhcos4-moderate-master | egrep "chcon|restorecon|semanage|setfiles|setsebool|seunshare"
rhcos4-moderate-master-audit-rules-execution-chcon        NotApplied
rhcos4-moderate-master-audit-rules-execution-restorecon   NotApplied
rhcos4-moderate-master-audit-rules-execution-semanage     NotApplied
rhcos4-moderate-master-audit-rules-execution-setfiles     NotApplied
rhcos4-moderate-master-audit-rules-execution-setsebool    NotApplied
rhcos4-moderate-master-audit-rules-execution-seunshare    NotApplied
~~~

Applied the remediation manually, attempted twice, however the result remained the same. ComplianceCheckResults show "FAIL", however ComplianceRemediations show "Applied":

~~~
$ oc get compliancescans
NAME                     PHASE   RESULT
ocp4-e8                  DONE    NON-COMPLIANT
rhcos4-e8-worker         DONE    NON-COMPLIANT
rhcos4-moderate-master   DONE    NON-COMPLIANT

$ oc get compliancecheckresults | grep rhcos4-moderate-master | egrep "chcon|restorecon|semanage|setfiles|setsebool|seunshare"
rhcos4-moderate-master-audit-rules-execution-chcon        FAIL   medium
rhcos4-moderate-master-audit-rules-execution-restorecon   FAIL   medium
rhcos4-moderate-master-audit-rules-execution-semanage     FAIL   medium
rhcos4-moderate-master-audit-rules-execution-setfiles     FAIL   medium
rhcos4-moderate-master-audit-rules-execution-setsebool    FAIL   medium
rhcos4-moderate-master-audit-rules-execution-seunshare    FAIL   medium

$ oc get complianceremediations | grep rhcos4-moderate-master | egrep "chcon|restorecon|semanage|setfiles|setsebool|seunshare"
rhcos4-moderate-master-audit-rules-execution-chcon        Applied
rhcos4-moderate-master-audit-rules-execution-restorecon   Applied
rhcos4-moderate-master-audit-rules-execution-semanage     Applied
rhcos4-moderate-master-audit-rules-execution-setfiles     Applied
rhcos4-moderate-master-audit-rules-execution-setsebool    Applied
rhcos4-moderate-master-audit-rules-execution-seunshare    Applied
~~~

I see new MachineConfigs were created for the remediations applied, and from these new MachineConfigs I also see two new MachineConfigPools got created. These new MCPs got applied to the nodes, in this case master, and also rebooted the nodes in the process of applying the MCP.

~~~
$ oc get mc
NAME                                                         GENERATEDBYCONTROLLER                      IGNITIONVERSION   AGE
00-master                                                    fc2e69c4408d898b24760eea9e889f0673369e67   3.1.0             2d
00-worker                                                    fc2e69c4408d898b24760eea9e889f0673369e67   3.1.0             2d
01-master-container-runtime                                  fc2e69c4408d898b24760eea9e889f0673369e67   3.1.0             2d
01-master-kubelet                                            fc2e69c4408d898b24760eea9e889f0673369e67   3.1.0             2d
01-worker-container-runtime                                  fc2e69c4408d898b24760eea9e889f0673369e67   3.1.0             2d
01-worker-kubelet                                            fc2e69c4408d898b24760eea9e889f0673369e67   3.1.0             2d
75-rhcos4-e8-worker-audit-rules-dac-modification-chmod                                                  3.1.0             3h58m
75-rhcos4-moderate-master-audit-rules-execution-chcon                                                   3.1.0             22m
75-rhcos4-moderate-master-audit-rules-execution-restorecon                                              3.1.0             22m
75-rhcos4-moderate-master-audit-rules-execution-semanage                                                3.1.0             22m
75-rhcos4-moderate-master-audit-rules-execution-setfiles                                                3.1.0             22m
75-rhcos4-moderate-master-audit-rules-execution-setsebool                                               3.1.0             22m
75-rhcos4-moderate-master-audit-rules-execution-seunshare                                               3.1.0             21m
99-master-generated-registries                               fc2e69c4408d898b24760eea9e889f0673369e67   3.1.0             2d
99-master-ssh                                                                                           3.1.0             2d
99-worker-generated-registries                               fc2e69c4408d898b24760eea9e889f0673369e67   3.1.0             2d
99-worker-ssh                                                                                           3.1.0             2d
rendered-master-3dc24c98ba2cddfacbb5b3f2a11d1bb6             fc2e69c4408d898b24760eea9e889f0673369e67   3.1.0             2d
rendered-master-797ded8744a2735930592f0aa5794a1b             fc2e69c4408d898b24760eea9e889f0673369e67   3.1.0             22m
rendered-master-c61524ba6e417367a4203687f01348f4             fc2e69c4408d898b24760eea9e889f0673369e67   3.1.0             20m
rendered-worker-bef22d2d2ab4bd667bd28ce6b99b5dde             fc2e69c4408d898b24760eea9e889f0673369e67   3.1.0             2d
rendered-worker-d9cf86946c5b75317325474f1f17e21a             fc2e69c4408d898b24760eea9e889f0673369e67   3.1.0             3h58m

$ oc get mcp
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-c61524ba6e417367a4203687f01348f4   True      False      False      3              3                   3                     0                      2d1h
worker   rendered-worker-d9cf86946c5b75317325474f1f17e21a   True      False      False      2              2                   2                     0                      2d1h
~~~
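The symptom in the comment above (and the tally in the verification comment earlier) comes down to cross-checking two `oc get` tables: a remediation that reports `Applied` while its ComplianceCheckResult still reports `FAIL` after a rescan is the thing to flag. The following is an added example for this thread, not code from the compliance-operator project; it parses the plain-text tables that `oc get compliancecheckresults` and `oc get complianceremediations` print, tallies statuses the way the `grep | wc -l` commands above do, and lists Applied-but-still-FAIL pairs. The sample tables are constructed from names that appear in the thread and are not real cluster output.

```python
"""Reconcile ComplianceCheckResult status with ComplianceRemediation state.

Added example for this bug thread; not part of compliance-operator. The two
tables below are constructed samples modelled on the `oc get` output pasted
in the comments; in practice feed it the real command output.
"""
from collections import Counter

# Constructed sample of `oc get compliancecheckresults` after a rescan.
CHECK_RESULTS = """\
NAME                                                        STATUS   SEVERITY
rhcos4-moderate-master-audit-rules-execution-chcon          FAIL     medium
rhcos4-moderate-master-audit-rules-execution-restorecon     FAIL     medium
rhcos4-moderate-master-audit-rules-dac-modification-chmod   PASS     medium
rhcos4-moderate-master-coreos-vsyscall-kernel-argument      INFO     medium
rhcos4-moderate-master-bios-disable-usb-boot                INFO     unknown
"""

# Constructed sample of `oc get complianceremediations` for the same scan.
REMEDIATIONS = """\
NAME                                                        STATE
rhcos4-moderate-master-audit-rules-execution-chcon          Applied
rhcos4-moderate-master-audit-rules-execution-restorecon     Applied
rhcos4-moderate-master-audit-rules-dac-modification-chmod   Applied
rhcos4-moderate-master-coreos-vsyscall-kernel-argument      NotApplied
"""


def parse_oc_table(text: str, columns: list) -> dict:
    """Parse whitespace-separated `oc get` output into {name: {column: value}}.

    The header row is dropped and columns beyond those requested (e.g. AGE)
    are ignored, so the same parser serves both tables."""
    rows = {}
    lines = [l for l in text.splitlines() if l.strip()]
    for line in lines[1:]:
        fields = line.split()
        rows[fields[0]] = dict(zip(columns, fields[1:1 + len(columns)]))
    return rows


def tally(results: dict) -> Counter:
    """Count check results per status, like the `grep PASS | wc -l` commands."""
    return Counter(r["status"] for r in results.values())


def applied_but_failing(results: dict, remediations: dict) -> list:
    """Remediations reported Applied whose check still reports FAIL.

    After a rescan these are the cases worth investigating: the MachineConfig
    was rendered and rolled out, yet the content's check did not pass."""
    return sorted(
        name for name, rem in remediations.items()
        if rem["state"] == "Applied"
        and results.get(name, {}).get("status") == "FAIL"
    )


def pending_manual_apply(results: dict, remediations: dict) -> list:
    """NotApplied remediations whose check is FAIL; with
    autoApplyRemediations: false these still need an operator to apply them."""
    return sorted(
        name for name, rem in remediations.items()
        if rem["state"] == "NotApplied"
        and results.get(name, {}).get("status") == "FAIL"
    )


if __name__ == "__main__":
    checks = parse_oc_table(CHECK_RESULTS, ["status", "severity"])
    rems = parse_oc_table(REMEDIATIONS, ["state"])
    print("tally:", dict(tally(checks)))
    print("applied but still FAIL:", applied_but_failing(checks, rems))
    print("pending manual apply:", pending_manual_apply(checks, rems))
```

On the constructed sample this reports the two `audit-rules-execution` checks as Applied-but-FAIL, which is exactly the mismatch shown above; an INFO result with an Applied remediation (the vsyscall case discussed earlier in the thread) is deliberately not flagged, since INFO is not a failure.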
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.6 compliance-operator security and bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:0436